Simon McGarr, a solicitor and data protection expert, said sections of the GDPR made a legal case easier as there was a recourse to compensation for non-material loss, a lower legal hurdle to clear than traditionally would be the case in a civil case. He claimed it was “the largest contingent risk the State has ever faced”.
He said every public body that insisted on the card could be liable. “The liability is triggered by the fact they allowed data to be processed on their watch,” he said. Rossa McMahon, a solicitor with legal firm PG McMahon, said there was also a possibility of fines being handed down. “The scale of what DEASP [Department of Social Protection] holds and what they have done with the PSC certainly raises the prospect of significant fines in time. The wilfulness of other State agencies insisting on PSCs for transactions when they were totally unnecessary and had no legal basis is possibly an area of greater exposure for the State.
However the commissioner said there was no possibility of fines arising from its completed investigation as it was conducted under pre-GDPR legislation. However the Department of Social Protection said if another investigation was to be initiated based on the findings of the latest inquiry, fines could then be levied.